diff --git a/.github/workflows/base-deploy.yml b/.github/workflows/base-deploy.yml
index 1e83ff4f..0529a22a 100644
--- a/.github/workflows/base-deploy.yml
+++ b/.github/workflows/base-deploy.yml
@@ -131,6 +131,9 @@ jobs:
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+
         working-directory: ./infrastructure
         shell: bash
         run: |
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index 0c0977b1..2dc06cb3 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -93,13 +93,15 @@ jobs:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
           aws-region: eu-west-2
 
-      - name: "Terraform Plan Stacks"
+      - name: "Terraform Apply"
         env:
           ENVIRONMENT: dev
           WORKSPACE: "default"
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 
         # just planning for now for safety and until review
         run: |
diff --git a/.github/workflows/cicd-3-test.yaml b/.github/workflows/cicd-3-test.yaml
index d9ef5af5..bcd0609d 100644
--- a/.github/workflows/cicd-3-test.yaml
+++ b/.github/workflows/cicd-3-test.yaml
@@ -119,7 +119,8 @@ jobs:
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
-
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
         run: |
           mkdir -p ./build
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
diff --git a/.github/workflows/manual-terraform-apply.yaml b/.github/workflows/manual-terraform-apply.yaml
index dd34483f..8d29e423 100644
--- a/.github/workflows/manual-terraform-apply.yaml
+++ b/.github/workflows/manual-terraform-apply.yaml
@@ -63,7 +63,8 @@ jobs:
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
-
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
         run: |
           mkdir -p ./build
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan args=\"-auto-approve\""
diff --git a/infrastructure/modules/lambda/kms.tf b/infrastructure/modules/lambda/kms.tf
index 55c5133f..738cb32b 100644
--- a/infrastructure/modules/lambda/kms.tf
+++ b/infrastructure/modules/lambda/kms.tf
@@ -7,7 +7,7 @@ resource "aws_kms_key" "lambda_cmk" {
 }
 
 resource "aws_kms_alias" "lambda_cmk" {
-  name          = "alias/${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.lambda_func_name}-cmk"
+  name          = "alias/${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.lambda_func_name}-key"
   target_key_id = aws_kms_key.lambda_cmk.key_id
 }
 
diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf
index f31a6e76..717fbb0a 100644
--- a/infrastructure/modules/lambda/lambda.tf
+++ b/infrastructure/modules/lambda/lambda.tf
@@ -1,5 +1,5 @@
 resource "aws_lambda_function" "eligibility_signposting_lambda" {
-  #checkov:skip=CKV_AWS_116: No deadletter queue is configured for this Lambda function, yet
+  #checkov:skip=CKV_AWS_116: No deadletter queue is configured for this Lambda function, as the requests are synchronous
   #checkov:skip=CKV_AWS_115: Concurrent execution limit will be set at APIM level, not at Lambda level
   #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238
   # If the file is not in the current working directory you will need to include a
@@ -11,7 +11,7 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
   source_code_hash = filebase64sha256(var.file_name)
 
-  runtime     = "python3.13"
+  runtime     = var.runtime
   timeout     = 30
   memory_size = 2048
 
@@ -28,12 +28,35 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 
   kms_key_arn = aws_kms_key.lambda_cmk.arn
 
+  publish = true
+
   vpc_config {
     subnet_ids         = var.vpc_intra_subnets
     security_group_ids = var.security_group_ids
   }
 
+  layers = compact([
+  var.environment == "prod" ? "arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:${var.lambda_insights_extension_version}" : null
+  ])
+
   tracing_config {
     mode = "Active"
   }
 }
+
+# lambda alias required for provisioning concurrency
+resource "aws_lambda_alias" "campaign_alias" {
+  count            = var.environment == "prod" ? 1 : 0
+  name             = "live"
+  function_name    = aws_lambda_function.eligibility_signposting_lambda.function_name
+  function_version = aws_lambda_function.eligibility_signposting_lambda.version
+}
+
+# provisioned concurrency - number of pre-warmed lambda containers
+resource "aws_lambda_provisioned_concurrency_config" "campaign_pc" {
+  count                             = var.environment == "prod" ? 1 : 0
+  function_name                     = var.lambda_func_name
+  qualifier                         = aws_lambda_alias.campaign_alias[0].name
+  provisioned_concurrent_executions = var.provisioned_concurrency_count
+}
+
diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
index 229c1fbb..92d9d081 100644
--- a/infrastructure/modules/lambda/variables.tf
+++ b/infrastructure/modules/lambda/variables.tf
@@ -1,5 +1,10 @@
 variable "eligibility_lambda_role_arn" {
-  description = "lambda read role arn for dynamodb"
+  description = "lambda role arn"
+  type        = string
+}
+
+variable "eligibility_lambda_role_name" {
+  description = "lambda role name"
   type        = string
 }
 
@@ -8,6 +13,12 @@ variable "lambda_func_name" {
   type        = string
 }
 
+variable "runtime" {
+  description = "runtime of the Lambda function"
+  type        = string
+}
+
+
 variable "vpc_intra_subnets" {
   description = "vpc private subnets for lambda"
   type        = list(string)
@@ -52,3 +63,13 @@ variable "enable_xray_patching"{
   description = "flag to enable xray tracing, which puts an entry for dynamodb, s3 and firehose in trace map"
   type        = string
 }
+
+variable "provisioned_concurrency_count" {
+  description = "Number of prewarmed Lambda instances"
+  type        = number
+}
+
+variable "lambda_insights_extension_version" {
+  description = "version number of LambdaInsightsExtension"
+  type        = number
+}
diff --git a/infrastructure/modules/splunk_forwarder/data.tf b/infrastructure/modules/splunk_forwarder/data.tf
new file mode 100644
index 00000000..8fc4b38c
--- /dev/null
+++ b/infrastructure/modules/splunk_forwarder/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/infrastructure/modules/splunk_forwarder/firehose.tf b/infrastructure/modules/splunk_forwarder/firehose.tf
new file mode 100644
index 00000000..f7ba2154
--- /dev/null
+++ b/infrastructure/modules/splunk_forwarder/firehose.tf
@@ -0,0 +1,45 @@
+# KMS Key for Firehose encryption
+resource "aws_kms_key" "firehose_splunk_cmk" {
+  description             = "KMS key for encrypting Kinesis Firehose delivery stream data"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  tags = {
+    Name      = "firehose-splunk-cmk"
+    Purpose   = "Firehose encryption"
+    ManagedBy = "terraform"
+  }
+}
+
+# KMS Key Alias for easier identification
+resource "aws_kms_alias" "firehose_splunk_cmk_alias" {
+  name          = "alias/firehose-splunk-cmk"
+  target_key_id = aws_kms_key.firehose_splunk_cmk.key_id
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "splunk_delivery_stream" {
+  name        = "splunk-alarm-events"
+  destination = "splunk"
+  server_side_encryption {
+    enabled  = true
+    key_type = "CUSTOMER_MANAGED_CMK"
+    key_arn  = aws_kms_key.firehose_splunk_cmk.arn
+  }
+  # VPC configuration is only supported for HTTP endpoint destinations in Kinesis Firehose
+  # For Splunk destinations, the service runs in AWS-managed VPC but you can control network access
+  # via the subnets where EventBridge (the source) runs and IAM policies
+
+  splunk_configuration {
+    hec_endpoint      = var.splunk_hec_endpoint
+    hec_token         = var.splunk_hec_token
+    hec_endpoint_type = "Raw"
+    s3_backup_mode    = "FailedEventsOnly"
+
+    s3_configuration {
+      role_arn           = var.splunk_firehose_s3_role_arn
+      bucket_arn         = var.splunk_firehose_s3_backup_arn
+      buffering_size     = 10
+      buffering_interval = 400
+      compression_format = "GZIP"
+    }
+  }
+}
diff --git a/infrastructure/modules/splunk_forwarder/iam.tf b/infrastructure/modules/splunk_forwarder/iam.tf
new file mode 100644
index 00000000..7b5c5946
--- /dev/null
+++ b/infrastructure/modules/splunk_forwarder/iam.tf
@@ -0,0 +1,56 @@
+# EventBridge IAM roles now defined in api-layer stack for specific integration
+
+resource "aws_kms_key_policy" "firehose_splunk_cmk_policy" {
+  key_id = aws_kms_key.firehose_splunk_cmk.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid       = "AllowRootAccountFullAccess"
+        Effect    = "Allow"
+        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
+        Action    = "kms:*"
+        Resource  = "*"
+      },
+      {
+        Sid       = "AllowFirehoseServiceUseOfKey"
+        Effect    = "Allow"
+        Principal = { Service = "firehose.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid       = "AllowEventBridgeUseOfKey"
+        Effect    = "Allow"
+        Principal = { Service = "events.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid       = "AllowCloudWatchUseOfKey"
+        Effect    = "Allow"
+        Principal = { Service = "cloudwatch.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
diff --git a/infrastructure/modules/splunk_forwarder/outputs.tf b/infrastructure/modules/splunk_forwarder/outputs.tf
new file mode 100644
index 00000000..03bcfe1a
--- /dev/null
+++ b/infrastructure/modules/splunk_forwarder/outputs.tf
@@ -0,0 +1,11 @@
+# Output the Firehose delivery stream ARN for use by EventBridge
+output "firehose_delivery_stream_arn" {
+  description = "ARN of the Kinesis Firehose delivery stream for Splunk"
+  value       = aws_kinesis_firehose_delivery_stream.splunk_delivery_stream.arn
+}
+
+# Output the KMS key ARN for reference
+output "firehose_kms_key_arn" {
+  description = "ARN of the KMS key used for Firehose encryption"
+  value       = aws_kms_key.firehose_splunk_cmk.arn
+}
diff --git a/infrastructure/modules/splunk_forwarder/variables.tf b/infrastructure/modules/splunk_forwarder/variables.tf
new file mode 100644
index 00000000..3307fb1b
--- /dev/null
+++ b/infrastructure/modules/splunk_forwarder/variables.tf
@@ -0,0 +1,19 @@
+variable "splunk_hec_endpoint" {
+  description = "Splunk HEC endpoint URL"
+  type        = string
+}
+
+variable "splunk_hec_token" {
+  description = "Splunk HEC token"
+  type        = string
+}
+
+variable "splunk_firehose_s3_backup_arn" {
+  description = "s3 bucket ARN for Firehose backups"
+  type        = string
+}
+
+variable "splunk_firehose_s3_role_arn" {
+  description = "IAM role ARN for Firehose to access S3"
+  type        = string
+}
diff --git a/infrastructure/stacks/api-layer/eventbridge.tf b/infrastructure/stacks/api-layer/eventbridge.tf
new file mode 100644
index 00000000..99c97f90
--- /dev/null
+++ b/infrastructure/stacks/api-layer/eventbridge.tf
@@ -0,0 +1,89 @@
+# IAM role for EventBridge to write to Firehose
+resource "aws_iam_role" "eventbridge_firehose_role" {
+  name = "${var.environment}-eventbridge-to-firehose-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Principal = {
+        Service = "events.amazonaws.com"
+      }
+      Action = "sts:AssumeRole"
+    }]
+  })
+
+  tags = {
+    Environment = var.environment
+    Purpose     = "splunk-forwarding"
+    ManagedBy   = "terraform"
+  }
+}
+
+# IAM policy for EventBridge to access Firehose
+resource "aws_iam_role_policy" "eventbridge_to_firehose_policy" {
+  name = "${var.environment}-eventbridge-to-firehose-policy"
+  role = aws_iam_role.eventbridge_firehose_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "firehose:PutRecord",
+        "firehose:PutRecordBatch"
+      ]
+      Resource = module.splunk_forwarder.firehose_delivery_stream_arn
+    }]
+  })
+}
+
+# EventBridge rule to capture CloudWatch alarm state changes
+resource "aws_cloudwatch_event_rule" "alarm_state_change" {
+  name        = "cloudwatch-alarm-state-change-to-splunk"
+  description = "Forward CloudWatch alarm state changes to Splunk via Firehose"
+
+  event_pattern = jsonencode({
+    source      = ["aws.cloudwatch"]
+    detail-type = ["CloudWatch Alarm State Change"]
+  })
+
+  tags = {
+    Environment = var.environment
+    Purpose     = "splunk-forwarding"
+    ManagedBy   = "terraform"
+  }
+}
+
+# EventBridge target to send events to Firehose
+resource "aws_cloudwatch_event_target" "firehose_target" {
+  rule     = aws_cloudwatch_event_rule.alarm_state_change.name
+  arn      = module.splunk_forwarder.firehose_delivery_stream_arn
+  role_arn = aws_iam_role.eventbridge_firehose_role.arn
+
+  # Transform the CloudWatch alarm event into a format suitable for Splunk
+  input_transformer {
+    input_paths = {
+      account    = "$.account"
+      region     = "$.region"
+      time       = "$.time"
+      alarm_name = "$.detail.alarmName"
+      new_state  = "$.detail.state.value"
+      old_state  = "$.detail.previousState.value"
+      reason     = "$.detail.state.reason"
+    }
+
+    input_template = jsonencode({
+      time = "<time>"
+      source = "elid-${var.environment}:cloudwatch:alarm"
+      sourcetype = "aws:cloudwatch:alarm"
+      event = {
+        alarm_name  = "<alarm_name>"
+        new_state   = "<new_state>"
+        old_state   = "<old_state>"
+        reason      = "<reason>"
+        region      = "<region>"
+      }
+    })
+  }
+}
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
index 5f384895..7e4ed0b3 100644
--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -189,6 +189,12 @@ resource "aws_iam_role_policy_attachment" "lambda_logs_policy_attachment" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+#Attach CloudWatchLambdaInsightsExecutionRolePolicy to lambda for enhanced monitoring
+resource "aws_iam_role_policy_attachment" "lambda_insights_policy" {
+  role       = aws_iam_role.eligibility_lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
+}
+
 # Policy doc for S3 Audit bucket
 data "aws_iam_policy_document" "s3_audit_bucket_policy" {
   statement {
@@ -284,6 +290,52 @@ resource "aws_kms_key_policy" "s3_rules_kms_key" {
   policy = data.aws_iam_policy_document.s3_rules_kms_key_policy.json
 }
 
+resource "aws_iam_role_policy" "splunk_firehose_policy" {
+  name = "splunk-firehose-policy"
+  role = aws_iam_role.splunk_firehose_assume_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      # Allow Firehose to write to S3 backup bucket
+      {
+        Effect = "Allow",
+        Action = [
+          "s3:PutObject",
+          "s3:PutObjectAcl",
+          "s3:GetBucketLocation",
+          "s3:ListBucket"
+        ],
+        Resource = [
+          module.s3_firehose_backup_bucket.storage_bucket_arn,
+          "${module.s3_firehose_backup_bucket.storage_bucket_arn}/*"
+        ]
+      },
+      # Allow Firehose to use KMS key for S3 encryption
+      {
+        Effect = "Allow",
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:GenerateDataKey",
+          "kms:DescribeKey"
+        ],
+        Resource = [module.s3_firehose_backup_bucket.storage_bucket_kms_key_arn]
+      },
+      # Allow logging to CloudWatch
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:PutLogEvents",
+          "logs:CreateLogStream",
+          "logs:CreateLogGroup"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
 data "aws_iam_policy_document" "s3_audit_kms_key_policy" {
   #checkov:skip=CKV_AWS_111: Root user needs full KMS key management
   #checkov:skip=CKV_AWS_356: Root user needs full KMS key management
diff --git a/infrastructure/stacks/api-layer/iam_roles.tf b/infrastructure/stacks/api-layer/iam_roles.tf
index 2fe2618d..0289bb8c 100644
--- a/infrastructure/stacks/api-layer/iam_roles.tf
+++ b/infrastructure/stacks/api-layer/iam_roles.tf
@@ -33,7 +33,27 @@ data "aws_iam_policy_document" "firehose_assume_role" {
   }
 }
 
-# Roles
+resource "aws_iam_role" "splunk_firehose_assume_role" {
+  name = "splunk-firehose-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Principal = {
+        Service = "firehose.amazonaws.com"
+      },
+      Action = "sts:AssumeRole"
+    }]
+  })
+  tags = {
+    Environment = var.environment
+    Purpose     = "firehose-service-role"
+    ManagedBy   = "terraform"
+  }
+}
+
+# Note: EventBridge IAM roles are defined in eventbridge.tf for proper separation of concerns
 
 resource "aws_iam_role" "eligibility_lambda_role" {
   name                 = "eligibility_lambda-role${terraform.workspace == "default" ? "" : "-${terraform.workspace}"}"
diff --git a/infrastructure/stacks/api-layer/lambda.tf b/infrastructure/stacks/api-layer/lambda.tf
index 68885b6d..5c71a278 100644
--- a/infrastructure/stacks/api-layer/lambda.tf
+++ b/infrastructure/stacks/api-layer/lambda.tf
@@ -11,19 +11,23 @@ data "aws_subnet" "private_subnets" {
 }
 
 module "eligibility_signposting_lambda_function" {
-  source                          = "../../modules/lambda"
-  eligibility_lambda_role_arn     = aws_iam_role.eligibility_lambda_role.arn
-  workspace                       = local.workspace
-  environment                     = var.environment
-  lambda_func_name                = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
-  security_group_ids              = [data.aws_security_group.main_sg.id]
-  vpc_intra_subnets               = [for v in data.aws_subnet.private_subnets : v.id]
-  file_name                       = "../../../dist/lambda.zip"
-  handler                         = "eligibility_signposting_api.app.lambda_handler"
-  eligibility_rules_bucket_name   = module.s3_rules_bucket.storage_bucket_name
-  eligibility_status_table_name   = module.eligibility_status_table.table_name
-  kinesis_audit_stream_to_s3_name = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
-  log_level                       = "INFO"
-  enable_xray_patching            = "true"
-  stack_name                      = local.stack_name
+  source                            = "../../modules/lambda"
+  eligibility_lambda_role_arn       = aws_iam_role.eligibility_lambda_role.arn
+  eligibility_lambda_role_name      = aws_iam_role.eligibility_lambda_role.name
+  workspace                         = local.workspace
+  environment                       = var.environment
+  runtime                           = "python3.13"
+  lambda_func_name                  = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_signposting_api"
+  security_group_ids                = [data.aws_security_group.main_sg.id]
+  vpc_intra_subnets                 = [for v in data.aws_subnet.private_subnets : v.id]
+  file_name                         = "../../../dist/lambda.zip"
+  handler                           = "eligibility_signposting_api.app.lambda_handler"
+  eligibility_rules_bucket_name     = module.s3_rules_bucket.storage_bucket_name
+  eligibility_status_table_name     = module.eligibility_status_table.table_name
+  kinesis_audit_stream_to_s3_name   = module.eligibility_audit_firehose_delivery_stream.firehose_stream_name
+  lambda_insights_extension_version = 38
+  log_level                         = "INFO"
+  enable_xray_patching              = "true"
+  stack_name                        = local.stack_name
+  provisioned_concurrency_count     = 5
 }
diff --git a/infrastructure/stacks/api-layer/s3_buckets.tf b/infrastructure/stacks/api-layer/s3_buckets.tf
index a1c55457..a2dc4af5 100644
--- a/infrastructure/stacks/api-layer/s3_buckets.tf
+++ b/infrastructure/stacks/api-layer/s3_buckets.tf
@@ -16,3 +16,12 @@ module "s3_audit_bucket" {
   stack_name             = local.stack_name
   workspace              = terraform.workspace
 }
+
+module "s3_firehose_backup_bucket" {
+  source       = "../../modules/s3"
+  bucket_name  = "eli-splunk"
+  environment  = var.environment
+  project_name = var.project_name
+  stack_name   = local.stack_name
+  workspace    = terraform.workspace
+}
diff --git a/infrastructure/stacks/api-layer/splunk_forwarder.tf b/infrastructure/stacks/api-layer/splunk_forwarder.tf
new file mode 100644
index 00000000..d794496d
--- /dev/null
+++ b/infrastructure/stacks/api-layer/splunk_forwarder.tf
@@ -0,0 +1,13 @@
+module "splunk_forwarder" {
+  source = "../../modules/splunk_forwarder"
+
+  splunk_hec_endpoint           = aws_ssm_parameter.splunk_hec_endpoint.value
+  splunk_hec_token              = aws_ssm_parameter.splunk_hec_token.value
+  splunk_firehose_s3_role_arn   = aws_iam_role.splunk_firehose_assume_role.arn
+  splunk_firehose_s3_backup_arn = module.s3_firehose_backup_bucket.storage_bucket_arn
+
+  depends_on = [
+    aws_ssm_parameter.splunk_hec_token,
+    aws_ssm_parameter.splunk_hec_endpoint
+  ]
+}
diff --git a/infrastructure/stacks/api-layer/ssm.tf b/infrastructure/stacks/api-layer/ssm.tf
new file mode 100644
index 00000000..6b17bf93
--- /dev/null
+++ b/infrastructure/stacks/api-layer/ssm.tf
@@ -0,0 +1,94 @@
+resource "aws_kms_key" "splunk_hec_kms" {
+  description             = "KMS key for encrypting Splunk HEC SSM parameters"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  tags = {
+    Name        = "splunk-hec-ssm-kms-key"
+    Environment = var.environment
+    Stack       = local.stack_name
+    Purpose     = "Splunk HEC SSM encryption"
+    ManagedBy   = "terraform"
+  }
+}
+
+resource "aws_kms_key_policy" "splunk_hec_kms_policy" {
+  key_id = aws_kms_key.splunk_hec_kms.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid       = "AllowRootAccountFullAccess"
+        Effect    = "Allow"
+        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
+        Action    = "kms:*"
+        Resource  = "*"
+      },
+      {
+        Sid       = "AllowSSMServiceUseOfKey"
+        Effect    = "Allow"
+        Principal = { Service = "ssm.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid       = "AllowFirehoseServiceUseOfKey"
+        Effect    = "Allow"
+        Principal = { Service = "firehose.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+resource "aws_ssm_parameter" "splunk_hec_token" {
+  name        = "/splunk/hec/token"
+  description = "Splunk HEC token"
+  type        = "SecureString"
+  key_id      = aws_kms_key.splunk_hec_kms.id # Will migrate to customer key after initial creation
+  value       = var.splunk_hec_token
+  tier        = "Advanced"
+
+  tags = {
+    Environment = var.environment
+    Stack       = local.stack_name
+    Purpose     = "Splunk HEC token"
+    ManagedBy   = "terraform"
+  }
+
+  lifecycle {
+    ignore_changes = [value] # Needs manual changes in future
+  }
+}
+
+resource "aws_ssm_parameter" "splunk_hec_endpoint" {
+  name        = "/splunk/hec/endpoint"
+  description = "Splunk HEC endpoint"
+  type        = "SecureString"
+  key_id      = aws_kms_key.splunk_hec_kms.id
+  value       = var.splunk_hec_endpoint
+  tier        = "Advanced"
+
+  tags = {
+    Environment = var.environment
+    Stack       = local.stack_name
+    Purpose     = "Splunk HEC endpoint"
+    ManagedBy   = "terraform"
+  }
+
+  lifecycle {
+    ignore_changes = [value]
+  }
+}
diff --git a/infrastructure/stacks/api-layer/variables.tf b/infrastructure/stacks/api-layer/variables.tf
new file mode 100644
index 00000000..b88139b1
--- /dev/null
+++ b/infrastructure/stacks/api-layer/variables.tf
@@ -0,0 +1,10 @@
+variable "splunk_hec_token" {
+  type        = string
+  description = "The HEC token for ITOC splunk"
+  sensitive   = true
+}
+variable "splunk_hec_endpoint" {
+  type        = string
+  description = "The HEC endpoint url for ITOC splunk"
+  sensitive   = true
+}
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index cb72a796..9918d1b4 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -62,10 +62,17 @@ resource "aws_iam_policy" "lambda_management" {
           "lambda:ListAliases",
           "lambda:AddPermission",
           "lambda:RemovePermission",
-          "lambda:GetPolicy"
+          "lambda:GetPolicy",
+          "lambda:GetAlias",
+          "lambda:GetFunction",
+          "lambda:GetProvisionedConcurrencyConfig",
+          "lambda:GetLayerVersion",
+          "lambda:PutProvisionedConcurrencyConfig"
         ],
         Resource = [
-          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*eligibility_signposting_api"
+          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api",
+          "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*",
+          "arn:aws:lambda:*:580247275435:layer:LambdaInsightsExtension:*"
         ]
       }
     ]
@@ -465,29 +472,6 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
   }
 }
 
-resource "aws_iam_policy" "cloudwatch_logging" {
-  name        = "cloudwatch-logging-management"
-  description = "Allow access to logging resources"
-  path        = "/service-policies/"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "logs:ListTagsForResource",
-          "logs:DescribeLogGroups",
-          "logs:PutRetentionPolicy"
-        ],
-        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
-      }
-    ]
-  })
-
-  tags = merge(local.tags, { Name = "cloudwatch-logging-management" })
-}
-
 resource "aws_iam_policy" "firehose_readonly" {
   name        = "firehose-describe-access"
   description = "Allow GitHub Actions to describe Firehose delivery stream"
@@ -518,9 +502,9 @@ resource "aws_iam_policy" "firehose_readonly" {
   tags = merge(local.tags, { Name = "firehose-describe-access" })
 }
 
-resource "aws_iam_policy" "cloudwatch_alarms" {
-  name        = "cloudwatch-alarms-management"
-  description = "Allow GitHub Actions to manage CloudWatch alarms and SNS topics"
+resource "aws_iam_policy" "cloudwatch_management" {
+  name        = "cloudwatch-management"
+  description = "Allow GitHub Actions to manage CloudWatch logs, alarms, and SNS topics"
   path        = "/service-policies/"
 
   policy = jsonencode({
@@ -529,7 +513,10 @@ resource "aws_iam_policy" "cloudwatch_alarms" {
       {
         Effect = "Allow",
         Action = [
-          # CloudWatch Alarms management
+          "logs:ListTagsForResource",
+          "logs:DescribeLogGroups",
+          "logs:PutRetentionPolicy",
+
           "cloudwatch:PutMetricAlarm",
           "cloudwatch:DeleteAlarms",
           "cloudwatch:DescribeAlarms",
@@ -537,7 +524,7 @@ resource "aws_iam_policy" "cloudwatch_alarms" {
           "cloudwatch:ListTagsForResource",
           "cloudwatch:TagResource",
           "cloudwatch:UntagResource",
-          # SNS Topic management for alarm notifications
+
           "sns:CreateTopic",
           "sns:DeleteTopic",
           "sns:GetTopicAttributes",
@@ -552,6 +539,7 @@ resource "aws_iam_policy" "cloudwatch_alarms" {
           "sns:ListSubscriptionsByTopic"
         ],
         Resource = [
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*",
           "arn:aws:cloudwatch:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:alarm:*",
           "arn:aws:sns:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:cloudwatch-security-alarms*"
         ]
@@ -559,7 +547,7 @@ resource "aws_iam_policy" "cloudwatch_alarms" {
     ]
   })
 
-  tags = merge(local.tags, { Name = "cloudwatch-alarms-management" })
+  tags = merge(local.tags, { Name = "cloudwatch-management" })
 }
 
 # Attach the policies to the role
@@ -598,17 +586,12 @@ resource "aws_iam_role_policy_attachment" "iam_management" {
   policy_arn = aws_iam_policy.iam_management.arn
 }
 
-resource "aws_iam_role_policy_attachment" "cloudwatch_logging" {
-  role       = aws_iam_role.github_actions.name
-  policy_arn = aws_iam_policy.cloudwatch_logging.arn
-}
-
 resource "aws_iam_role_policy_attachment" "firehose_readonly_attach" {
   role       = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.firehose_readonly.arn
 }
 
-resource "aws_iam_role_policy_attachment" "cloudwatch_alarms" {
+resource "aws_iam_role_policy_attachment" "cloudwatch_management" {
   role       = aws_iam_role.github_actions.name
-  policy_arn = aws_iam_policy.cloudwatch_alarms.arn
+  policy_arn = aws_iam_policy.cloudwatch_management.arn
 }
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index 4b37cde6..a403aa8a 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -150,6 +150,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "lambda:AddPermission",
       "lambda:RemovePermission",
       "lambda:GetPolicy",
+      "lambda:GetAlias",
+      "lambda:GetProvisionedConcurrencyConfig",
+      "lambda:GetLayerVersion",
+      "lambda:PutProvisionedConcurrencyConfig",
 
       # CloudWatch Logs - log management
       "logs:CreateLogGroup",
diff --git a/scripts/config/vale/styles/config/vocabularies/words/accept.txt b/scripts/config/vale/styles/config/vocabularies/words/accept.txt
index 603ea003..6791454f 100644
--- a/scripts/config/vale/styles/config/vocabularies/words/accept.txt
+++ b/scripts/config/vale/styles/config/vocabularies/words/accept.txt
@@ -3,6 +3,7 @@ Bitwarden
 bot
 Cyber
 Dependabot
+dev
 Gitleaks
 Grype
 idempotence
@@ -11,12 +12,14 @@ OAuth
 Octokit
 onboarding
 Podman
+preprod
 Proxygen
 Python
 README
 Redocly
 sed
 subnet
+Splunk
 Syft
 Terraform
 toolchain